Skip to content
supplychainattack.orgSupply chain attack incident catalog
activecritical

Malware in internallib_v907

Malware discovered in the npm package internallib_v907. Systems with this package installed are considered fully compromised and require immediate remediation.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with the package installed or running
Ecosystems
Attack vectors
Affected entities
  • internallib_v907

A malicious npm package named internallib_v907 has been identified and published to the npm registry. The package contains malware that grants full control of affected systems to an outside entity.\n\nAny computer with this package installed or running should be considered fully compromised. The advisory recommends immediate rotation of all secrets and keys from a different, unaffected computer. While the package should be removed, complete removal of all malicious software cannot be guaranteed due to the level of system compromise.\n\nThis incident was disclosed via GitHub Advisory GHSA-4jf7-q8jf-84cg on 2026-07-15.

Indicators of compromise

Packages
  • internallib_v907

Remediation

  • Immediately identify all systems with internallib_v907 installed
  • Isolate affected systems from the network
  • Rotate all secrets, keys, and credentials from a clean, unaffected computer
  • Remove the internallib_v907 package from all affected systems
  • Perform forensic analysis to identify any additional malicious software installed
  • Monitor affected systems for signs of compromise or persistence mechanisms
  • Consider full system rebuild or replacement as the package may have granted full control to attackers

Sources

  1. GitHub Advisory GHSA-4jf7-q8jf-84cg · GitHub Advisory Database

Cite this entry

"Malware in internallib_v907." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 15, 2026; last updated July 16, 2026. https://supplychainattack.org/incident/malware-in-internallib-v907-1dlyff

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. activecritical

    Malware in sauruslord-baileys

    The npm package sauruslord-baileys contains malware that grants full control of affected systems. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package
  2. containedcritical

    ​ ​AsyncAPI npm packages infected with credential-stealing malware

    Five malicious versions of AsyncAPI npm packages were published in a supply-chain attack delivering a remote access trojan with credential-stealing capabilities. The attack compromised the npm package registry with info-stealing malware.

    npmCompromised package
  3. resolvedcritical

    Malicious code in rhynpm (npm)

    The npm package rhynpm was found to contain malicious code. The package was identified by the OpenSSF malicious packages project and reported via GitHub Security Advisory GHSA-5jr8-4283-75xm.

    npmCompromised package
  4. resolvedcritical

    Malicious code in angylarjs (npm)

    Malicious code was discovered in the angylarjs npm package. The package was identified by the OpenSSF malicious-packages project and reported via GitHub Security Advisory GHSA-qqc2-6x9j-cm25.

    npmCompromised package